This article covers a general methodology available in the software industry to address cyber security. Though several methodologies and options are available in public domain to address cyber security, the trick lies in applying/implementing it to build a secure solution without major impact on the performance and user experience.
The product/solution development cycle has to go through a systematic approach of handling cyber security threats. The additional steps required in classical software development cycle (iterative or non-iterative) to address cyber security related issues are shown in Fig 1. The process of undertaking a systematic approach to develop secure software products or solution is known as Threat Modelling.
Fig1: The Software development cycle process additions to address cyber security aspects
The security aspects need to be looked into from the beginning of product development process to generate corresponding artefacts. The security Architect and Tester role needs to be played by somebody in team to address cyber security. The Abuse cases are developed while creating use cases to understand and/or identify un-intended user interactions. Threat modelling is done while architecture is being developed to identify the vulnerabilities in system. Threat modelling gives some more requirements to Architects to incorporate. The security architect also plays a key role in reviewing design and implementation from the vulnerabilities point of view. On the other hand, architect/designer reviews play an equally important role for functionality completion. The tester covers functionality, performance, and other parameters. Security testers focus on vulnerabilities to break the system using different set of tools. The deployment and manufacturing configurations also need to be considered during product development to avoid any security threats. The product needs to be re-looked into security aspects whenever new features are added or whenever a new threat arises.
The Threat modelling process includes (1) Identifying vulnerability in a product (2) Identifying the threats due to vulnerability (3) Prioritizing the threats (4) Identifying the control mechanism (5) Deciding mitigation strategy based on complexity and importance of the threat (6) Implementing the control mechanism in a product (7) Profiling the threats after implementing control mechanism in a product.
There are standard methods available to address vulnerabilities and some of them include STRIDE, OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), PASTA (Process for Attack Simulation and Threat Analysis), TRIKE, VAST (Visual, Agile, and Simple Threat modelling), etc.
Fig2: Steps involved in addressing vulnerabilities in product or system or solution
The first step is to identify the vulnerabilities in a system. The threat model can look into the following aspects in a system/product to identify vulnerabilities
(1) Hardware (Serial, Ethernet etc.) and Software (API, SDK etc) Interfaces exposed (2) Data Flow (Authentication, Configuration etc.), which is coming in/going out of the system (3) Data at Rest (Key, measurement data, Users table etc.), which is stored in the system (4) Hardware (memory, Timer etc.) and Software (Firmware, Algorithm, etc.) components in the system.
The threat identification can be done using one of the following methods:
- Software centric – In this approach, software architecture diagrams (such as use case, data flow, component/sequence diagram, etc.) are used to identify the vulnerabilities. The threats, control mechanisms, and secure coding standards are applied to each software components. Microsoft SDL and Threat Analysis & Modeling (TAM) tools can be used to do software centric modeling.
- Asset centric – This method involves identifying vulnerabilities to access the asset. The asset could be used table, firmware, database, ports, interfaces, etc. The attack trees and attack graphs are generated using this method. This graph helps to identify multiple steps or paths to reach the asset. Trike and Amenaza’s Securitree methods/tools are used to generate graphs.
- Attacker centric – This process involves understanding the attacker’s motivation, characteristics and skill sets to exploit vulnerabilities in the system. The type of attack could be Accidental Discovery (ordinary user), Automated Malware (security researcher), The Curious Attacker, Script Kiddies, The Motivated Attacker, and Organized Crime.
The threats can be categorized based on the method chosen. STRIDE model categorizes the threat as follows:
- Spoofing Identity
- Tampering with Data
- Information Disclosure
- Denial of Service
- Elevation of Privilege
The next step is to prioritize the threats/vulnerability based on impact, reproducibility, etc. The following method could be used for prioritizing (DREAD). The Rank is higher when the priority number is higher. The number 1 to 10 has to be chosen for each of the parameter to calculate the number.
Priority number = (D + R + E + A + D) / 5.
Damage Potential: 0 = Nothing and 10 = Complete destruction
Reproducibility: 0 = Very hard or impossible and 10 = Very easy
Exploitability: 0 = Advanced programming/knowledge required and 10 = easily exploitable
Affected Users: 0 = None and 10 = All users
Discoverability: 0 = Very hard/Impossible and 10 = Easy to discover
The next step is to choose the control mechanism suitable for the identified threat. Some of the control mechanisms (but not limited to) are: Authentication, Authorization, Cryptography (Certificates), Data Input Validation, White listing/Blacklisting (ACL) users/IP, Cookie management, Session management, Secure execution environment (Secure code and secure boot), Running with least privilege, Error handling, Auditing, Logging, etc.
After going through the threats and control mechanism, the team can decide whether they want to mitigate it or transfer it to a customer. The transfer of threats to the customer is chosen. This is done in case it is challenging to implement in the product or if there is any dependency on other subsystems where there is no direct control to change/implement.
The mitigation plan is executed after making the decisions as described above. This phase involves development of control mechanisms and verification of the same. The threats identified will be categorised as “Fully mitigated”, “Partially mitigated” and “not mitigated” based on the state of execution of this phase.
Some of the tools/softwares used for finding vulnerability/verifying control mechanisms are: Wireshark, Nmap, OpenVAS, Samurai framework, Safe3 scanner, Nesus, Ethereal, Ettercap, Air Crack, Air Snort, Dsniff, Airpwn, File2air, Dinject/Reinject, Capture and Injection Tools, Jamming and Injection Tools, Integrity, Authentication and Confidentiality Attacking Tools, Cracking Software’s, Sniffer, Winsniffer, and Password Dictionary.
The companies realise that adapting mechanisms to control vulnerabilities in system is very important irrespective of the domain or software or firmware. Addressing security threats and challenges at each domain, software, and used case will be different. The specific methods and tools used to identify and control threats in software/system/product is of individual choice based on the specific need.
It is much more important to keep Threat modeling documents locked under safe repository. The documents have all information about product and system vulnerability and control mechanisms.
- Threat Modeling – Designing for Security by Adam Shostack
This article has been authored by Channabasavaraj R, Senior Architect, Industrials BU, Sasken Technologies Limited